EDF-2026-RA-SIMTRAIN-MSAI Β· European Defence Fund

The AI framework's trust layers β€” explained simply, case by case

The call funds an AI system that helps the military plan, decide, train and practise in simulation. vExpertAI builds the layers that make that AI connected, trustworthy and deployable β€” watch each layer come online on the right.

~€8M Β· 100% funded 36 months β‰₯2 of 4 use cases vExpertAI GmbH Β· Germany
L0 Β· Real systems β€” actual C2, sensors, networksEND-USER
L1 Β· Simulation engine β€” the battle worldM&S PARTNER
L2 Β· Interoperability β€” NATO data languagesvEXPERTAI
L3 Β· AI core β€” agents, plans, recognizersvEXPERTAI +
L4 Β· Assurance β€” robustness Β· explainability Β· human controlvEXPERTAI
L5 Β· Sovereign deployment β€” sealed, in-countryvEXPERTAI

The framework in five layers. Highlighted = vExpertAI. Our layers plug into any standards-conformant engine.

Start here

Two things working together: a brain and a practice-ground

The project, in plain words

Think of the project as building two things at once. A brain β€” AI that reads the battlefield picture, proposes plans, spots threats and helps commanders decide faster. And a practice-ground β€” an advanced military simulation where those plans, that AI, and real soldiers can be tested safely, again and again.

The brain must plug into the army's real command systems, work alongside NATO allies' systems, and β€” crucially β€” be trustworthy: hard to fool, hard to poison, hard to hack, with a human always in control of important decisions.

vExpertAI's job: we are not the simulation-engine builder. We build the AI brain's working parts, the trust-and-security layer around them, and the ability to run everything on a sealed, in-country system. The four tabs above walk through each official use case β€” what it asks for in plain words, and exactly where we add value.

The four cases at a glance

Use caseOur roleThe rare thing we bring
1 Β· Battle dress rehearsalSupportThe translator between real command systems and simulation + the black-box recorder
2 Β· Human + AI teamsLeadAn AI teammate that fails on command β€” and the metrics of the human response
3 Β· AI battle plansBuild the systemExplained, challengeable plans turned into approved formal orders in minutes
4 Β· Synthetic sea dataCo-leadThe data factory + the anti-poisoning security the call explicitly requires
All Β· AI securitySignatureGenuine red-team practice + sovereign, air-gapped deployment
The one-line picture The simulator is the flight simulator; vExpertAI is the instructor who can make the engine fail on purpose, the black box that explains every decision, and the locked room that keeps it all secure.

Use case 1

The full dress rehearsal of a battle

Supporting role The simulation-engine partner leads; we make the rehearsal connected, trustworthy and measurable.

Live view Β· what our translator layer does

REAL C2the army's actual command software
vEXPERTAI TRANSLATORNETN-FOM v4 Β· C2SIM Β· HLA
SIMULATORthe practice battle

⚠ SPOOFED RADAR TRACK INJECTED β†’ FLAGGED: low confidence, single source

● REC every trigger Β· evidence Β· approval Β· timing β†’ black box replay: rewind to minute 40, change one input, re-run

What you're watching: orders and map data flowing both ways through our translator β€” then a fake radar track is injected as a stress test, gets flagged, and everything lands in the black-box recorder.

The official ask, in plain words

Before an army trusts a whole chain of systems β€” command software, AI, simulators, people, across land, sea, air, cyber and space β€” someone must measure how well the entire chain performs together, not each piece alone.

Three ingredients must run at once: the army's real command software (not a mock-up), an AI-driven simulated battle, and real officers making real decisions. Three stages: prepare the scenario, execute the battle, analyse what happened.

Stage 1 Β· Preparation

Make the real and the simulated speak one language

The problem: the real command system, the simulator and the AI each speak a different data "language." Until they're connected, there is no end-to-end anything β€” just three boxes that can't talk.

What we bring β€” the translator layer. The real C2 exports its operational picture; we translate it into what the simulator understands, and simulation events flow back onto real command screens. We commit to dated, checkable NATO standards: NETN-FOM v4.0, C2SIM, HLA / STANAG 4603.

Picture this

Today, a joint exercise means engineers spending weeks hand-copying unit positions, orders and maps from the command system into the simulator β€” and the two drift apart the moment the exercise starts. With the translator layer, an officer loads tomorrow's real operational picture into the rehearsal in minutes, and both sides stay in sync throughout.

Stage 2 Β· Execution

Run the AI, keep the human in charge, stress the system

  • The orchestrator. Enemy behaviour, picture-fusion and decision-support agents must coordinate in real time. Proof this isn't slideware: our 5-agent system resolved a live network incident in 8 seconds, on stage at Cisco DevNet.
  • The human-control gates. Every AI suggestion passes an approval gate β€” the officer decides, the AI proposes. This is how all five of our production agents already ship, audited, at enterprise customers.
  • The stress-test injection. Mid-rehearsal we deliberately spoof a radar track or degrade the network β€” and measure whether AI and officers notice and cope.

Picture this

Forty minutes in, our harness silently injects a fake enemy track into the sensor feed. The AI assistant flags it: "low confidence β€” single source, no corroboration." The duty officer checks, discards it β€” and the exercise report later shows exactly how long detection took. That is a system-of-systems measurement, not just "did the plan win."

Stage 3 Β· Analysis

Prove what happened, decision by decision

The problem: after the rehearsal, the staff needs more than a score. They need: which decision, by whom, based on what information, caused which outcome?

What we bring β€” the black-box recorder and replay. Every trigger, every piece of evidence the AI saw, every recommendation, every human approval, every timing β€” logged automatically. Any sequence can be replayed: rewind to minute 40, change one input, re-run. The call explicitly requires replayable data streams β€” a requirement most bidders will treat as an afterthought. For us it is our regulator-grade audit pipeline, running in production today.

Who owns what

PieceOwnerWhy
Battle engine β€” physics, terrain, unitsM&S partnerWe don't own a simulation engine β€” by design
Connect real C2 ↔ sim ↔ AIvExpertAITranslation-layer engineering is our production pattern
AI orchestration + human-control gatesvExpertAIDevNet-proven orchestration; human-in-the-loop is shipped behaviour
Stress-testing under spoofing / jammingvExpertAIOur security heritage, applied to the exercise
Black-box recording, replay, analysisvExpertAIOur audit pipeline, running in production today
In short We are not the star of this show β€” we are the stage, the safety officer and the camera crew. The M&S partner provides the battle; we make it connected, trustworthy under attack, and provable afterwards.

Use case 2

Teaching people and AI to work as a team

vExpertAI leads Our strongest fit β€” built on a capability few others have.

Live view Β· the failure drill

πŸ€–AI TEAMMATE
labelling boat contacts
πŸ’‰INSTRUCTOR INJECTS
poisoned model: hostile boat reads "friendly"
πŸ§‘β€βœˆοΈOPERATOR NOTICES
cross-checks, overrides
πŸ“ŠSCORE
detected in 12s Β· 0 errors after handover

DRILL RUNNING…

What you're watching: a training drill on loop. The AI teammate is deliberately sabotaged (it turns red), the operator catches it and takes back control, and the team gets a measured score.

The official ask, in plain words

Soldiers and AI assistants must learn to work as one team β€” including knowing when the machine should do more (routine work, information overload) and when the human must take back control (ambiguity, high stakes, machine failure).

The remarkable part: trainees must be deliberately exposed to AI failures and adversarial attacks during training β€” so they learn, by experience, what a wrong or manipulated AI looks like. And team performance must be measured with practical metrics, not impressions.

Component 1 Β· The failure playbook

An AI teammate that fails on command

The problem: you cannot train someone to catch a failing AI using an AI that never fails. Someone must make the machine fail β€” realistically, on schedule, without the trainee knowing.

What we bring: a library of realistic failure modes β€” a sudden confidence collapse, a slow accuracy drift, an adversarial "sticker" attack, a poisoned recommendation β€” that an instructor injects like difficulty levels during a live exercise. Built from our security-testing heritage: we already break AI systems on purpose for a living.

Picture this

An operator tracks boats with an AI that labels each one "friendly" or "threat." Secretly, we poison the AI so it starts calling a hostile boat "friendly." Does the operator notice? How long until they catch it and override? We measure exactly that β€” and the operator leaves having felt what a fooled AI looks like, so they will spot it for real.

Component 2 Β· The automation dial

Who is in charge, moment by moment

The problem: "adaptive levels of automation" means control must shift smoothly between human and machine as the situation changes β€” and both sides must always know who holds it.

What we bring: the controller that moves the dial, and the trust-aware interface that shows the operator how confident (or unsure) the AI is right now. Every shift of authority is logged.

Picture this

Contacts pile up and the operator is drowning. The controller hands the routine tracks to the AI and surfaces only the ambiguous ones to the human β€” then the metrics show whether that handover actually cut the errors, or just moved them.

Component 3 Β· The scoreboard

Practical metrics β€” including a hidden requirement

What we bring: the measurement pipeline β€” detection time, recovery time, error rates, over-trust and under-trust patterns β€” generated automatically from the same audit-trail machinery we run in production.

The hidden requirement it answers: the call demands mitigation of bias in AI-influenced human decision-making β€” not just bias in the model. Measuring when operators over-trust a confident-but-wrong AI is precisely that requirement, answered with instruments rather than intentions. Most bidders will miss it.

Who owns what

PieceOwnerWhy
Failure-injection harness + attack libraryvExpertAIThe rare piece β€” built from our offensive-security practice
Adaptive-automation controller + trust interfacevExpertAIExtension of our shipped human-in-the-loop machinery
Team-performance metrics pipelinevExpertAISame instrumentation discipline as our audit trail
Experimental design, ethics, human subjectsResearch partnerScientific validity belongs with an academic human-factors team
Training scenarios & doctrineMilitary end-usersOperational realism comes from the people who live it
In short The call explicitly asks for exposure to AI failure and adversarial actions. Most teams can build an AI helper; almost none can make it break convincingly, on demand, and measure the human response. That is exactly our home turf.

Use case 3

AI that proposes battle plans and drafts the orders

vExpertAI builds the system The core learning research is led by the consortium's research partner β€” and we say so.

Live view Β· from live map to approved order

πŸ—ΊοΈREAD THE
LIVE MAP
πŸ’‘GENERATE
PLANS AΒ·BΒ·C
🎯WAR-GAME
EACH IN SIM
βš–οΈRANK +
EXPLAIN WHY
βœ‹COMMANDER
APPROVES
πŸ“„ORDER
WRITTEN
PLAN A Β· 41% PLAN B Β· 68% β€” avoids ambush zone βœ“ PLAN C Β· 55%

β–Έ FORMAL ORDER GENERATED & SENT β€” 90 SECONDS AFTER APPROVAL

What you're watching: the six-step pipeline lights up left to right. Three candidate plans are war-gamed; Plan B wins with its reason attached; the commander approves; the formal order writes itself.

The official ask, in plain words

The AI reads the live operational map, proposes several candidate plans (Plan A, B, C), tests each one in simulation, ranks them, explains why β€” and then drafts the formal written orders. A commander always approves before anything moves.

The "reinforcement learning agents" in the call text are AIs that learn good plans by playing the scenario thousands of times in simulation β€” like a chess engine, but for operations.

Piece 1 Β· The conductor

One pipeline from map to approved order

What we bring: the agentic system that runs the whole chain β€” read the picture β†’ generate plans β†’ simulate each β†’ compare β†’ present β†’ approve β†’ write the order. Coordinating specialist AI agents into one reliable pipeline is what our production platform does all day.

Piece 2 Β· The "why" you can challenge

Explanations, not verdicts

The problem: a commander will not β€” and should not β€” act on "the AI says Plan B" without knowing why.

What we bring: the explainability layer. Every ranking comes with its two or three decisive reasons, and the commander can interrogate it: change the risk tolerance, and the ranking updates live.

Picture this

A commander must relieve a surrounded unit. The AI proposes three routes and war-games each: "Route B is safest β€” 68% success, avoids the ambush zone, costs 20 minutes more." The commander asks: and if I accept more risk? The ranking flips, with reasons. The commander picks Route B and taps approve.

Piece 3 Β· The order-writer

From decision to formal order in minutes

What we bring: the moment the commander approves, the system writes the full formal order in correct military format and pushes it into the command system β€” a task that traditionally takes a staff 30–45 minutes of drafting and re-typing.

And the safety rail: the human-approval gate is not a checkbox β€” it is the same audited approval machinery our enterprise agents ship with, extended with doctrine-bounded authority levels.

Who owns what

PieceOwnerWhy
Reinforcement-learning research (the plan-generating brain)Research partnerDeep academic work β€” we deliberately do not claim it
Agentic pipeline around the RL corevExpertAIMulti-agent orchestration is our production platform
Explainability + challengeable "why"vExpertAIExtension of our audit / decision-rationale machinery
Order generation in military formatsvExpertAIStructured, audited language generation β€” shipped pattern
Doctrinal validation of plansMilitary expertsPlans must be sound by doctrine, not just by simulation score
In short The research partner teaches the AI to find good plans; we build everything that makes those plans usable β€” explained, doctrine-checked, human-approved, and turned into a ready-to-send order in minutes.

Use case 4

Manufacturing the data no one can film β€” threats at sea

vExpertAI co-leads The scenes are rendered by the simulation-engine partner; maritime realism is validated by domain experts in the consortium.

Live view Β· the data factory

0 labelled frames
generated

πŸ›‘ provenance check: every frame signed at birth Β· 1 poisoned sample detected β†’ quarantined

What you're watching: the simulated sea is rendered into sensor frames, each arriving already labelled (βœ“). The counter climbs into the thousands β€” and one poisoned sample (βœ•) is caught by the provenance check and thrown out.

The official ask, in plain words

To train an AI to recognise attack sea-drones (USVs), smuggler boats, swarm attacks or near-invisible semi-submersible craft, you need thousands of labelled examples β€” and that footage barely exists. You cannot schedule an adversary's drone for a photo shoot.

Sea drones make the point sharpest: recent conflicts have shown that small, cheap uncrewed craft can threaten major warships β€” yet they are tiny on radar, sit low in the water, move fast, come in swarms, and are easily mistaken for fishing skiffs or debris. Real attack footage is scarce or classified. Synthetic data is not a convenience here β€” it is the only way.

So the call asks: generate realistic fake sensor data in simulation β€” camera, thermal, radar, ship-signal feeds β€” and use it to train recognition AI that then works on the real sea. This maritime example is named in the call itself.

Piece 1 Β· The data factory

Realistic, labelled sensor data on demand

What we bring: the pipeline that turns simulated sea scenes into training data β€” rendering requests to the simulation engine, multi-sensor variation (day, night, fog, sea state), and automatic labelling: every frame arrives already annotated, because the simulation knows exactly what it drew.

Picture this

A swarm of five attack sea-drones approaches at dusk, hulls barely above the waterline β€” the kind of threat there is almost no real training footage of. The factory generates thousands of realistic thermal and radar sequences of exactly that: different swarm sizes, sea states, approach angles, day and night, each frame perfectly labelled. The recognizer trains on them β€” then we test it against the few real clips that do exist, and it recognises the threat it never truly "saw." The same factory covers semi-submersibles and dark smuggler craft.

Piece 2 Β· The recognizer

The AI that learns to spot the threat

What we bring: the detection models trained on the synthetic data, tuned to bridge the gap between simulated and real sensor imagery β€” including cross-checking sensors against each other. A contact whose camera image and radar signature don't match is itself a signal β€” and for drone swarms, the recognizer tracks behaviour over time, not just single frames: five small contacts converging on an intercept course mean something one blurry snapshot never could.

Piece 3 Β· The security β€” a named call requirement

Data that can't be poisoned, a recognizer that can't be fooled

The problem: a recognizer trained on synthetic data has a supply chain β€” and supply chains get attacked. Poison the training data and the AI learns a hidden blind spot; spoof a ship's broadcast identity and the AI mislabels the threat.

What we bring: signed provenance for every training sample, tamper detection on datasets and models, and adversarial testing of the finished recognizer against decoys and spoofed signals. The call names protection against dataset poisoning as a required competency β€” for us it is core business, not a compliance paragraph.

Who owns what

PieceOwnerWhy
Sea-scene rendering (physics, sensors, weather)M&S partnerThe simulation engine draws the world
Data factory β€” pipeline + auto-labellingvExpertAIData-pipeline engineering with provenance discipline
Threat recognizervExpertAIModel training and sim-to-real tuning
Anti-poisoning + anti-spoofing securityvExpertAINamed call requirement; our core business
Maritime & sensor realism validationDomain expertsWhat a threat really looks like on each sensor
In short We make the data no one can film β€” with attack sea-drones as the sharpest example β€” train the AI on it, and secure the whole chain against poisoning, which the call explicitly requires. And the drone thread runs both ways: here the drone is the threat to recognise; in Case 2, a drone swarm is the teammate an operator learns to supervise. One framework, both sides of the drone problem.

Runs through all four cases

Keeping the AI itself un-hackable

Our signature The capability that makes every other use case trustworthy.

Live view Β· the immune system

DECOY PATTERN β†’ POISONED DATA β†’ ← SPOOFED SIGNAL
πŸ›‘οΈ

What you're watching: known AI attacks β€” decoys, poisoned data, spoofed signals β€” thrown at our own system in the lab, on purpose, so they bounce off in the field.

In plain words

If an adversary can trick, poison or hack the AI, the AI becomes a liability instead of an advantage. Across all four cases we run the immune system: attack our own AI on purpose β€” decoy patterns against recognizers, prompt injection against agents, poisoned data against training pipelines, mapped to the public MITRE ATLAS catalogue of AI attacks β€” find where it breaks, harden it, re-test.

And a human can always understand and override the system: every recommendation is explainable, every action gated, every decision logged. This aligns directly with NATO's Principles of Responsible Use of AI and the direction of its Data and AI Review Board.

Picture this

Before anything is fielded, our red team feeds the sea-threat recognizer a decoy pattern that makes it read a warship as empty sea. We catch that weakness in the lab, patch it, and re-test β€” so no adversary ever gets to use that trick outside the lab.

Add sovereign deployment β€” the entire framework runs sealed, in-country, offline, with no external cloud dependency β€” and these two capabilities together are what few AI or simulation teams can offer.

In short Very few simulation or AI teams bring a genuine offensive-security practice. We attack the AI so the adversary can't β€” and we ship it sealed, in-country, offline.

Proof, not promises

Why an enterprise AI company belongs in a defence consortium

Everything in the four cases rests on capabilities that run in production today at enterprise customers β€” not on slideware. The military content is new work, honestly scoped; the engineering underneath it is shipped, audited and demonstrated in public.

8 seconds

Live multi-agent incident resolution, demonstrated on stage at Cisco DevNet β€” detect, diagnose, propose, human-approve, remediate.

100% human-in-the-loop

All five production agents require human approval before acting β€” audited behaviour at enterprise customers, not a design goal.

Regulator-grade audit trail

Every trigger, evidence item, rule, approval and timing logged β€” the DORA/NIS2 machinery that becomes the exercise black box.

Sovereign by default

Agents run in the customer's cloud or on-premises β€” no shared cloud brain. Built in the EU (Germany), GDPR-native.

What transfers, what adapts, what is new β€” our honesty rule

For every capability we claim, we state three things: what transfers as-is from our production platform, what needs adaptation to military content, and what is genuinely new work. Example: our audit-trail machinery transfers as-is; its data schema adapts to military fields (rules of engagement, sensor provenance); mapping it to NATO's responsible-use evidence language is new. That discipline is how a research proposal stays credible.

The bottom line vExpertAI brings the three things this call is hardest to staff: agent orchestration that demonstrably works, a real offensive-security practice for AI, and sovereign, sealed deployment β€” wrapped in the honesty about what is ours and what belongs to our partners.